CN111565377A - Safety monitoring method and device applied to Internet of things - Google Patents

Safety monitoring method and device applied to Internet of things

Info

Publication number: CN111565377A
Application number: CN202010292027.8A
Authority: CN (China)
Prior art keywords: internet, things, terminal, event information, same type
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN111565377B (en)
Inventors: 郑霖, 代维, 林育民
Current assignee: Ruishu Information Technology Shanghai Co ltd
Original assignee: Ruishu Information Technology Shanghai Co ltd
Events: application filed by Ruishu Information Technology Shanghai Co ltd; priority to CN202010292027.8A; publication of CN111565377A; application granted; publication of CN111565377B; legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC]
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/009 Security arrangements; Authentication; Protecting privacy or anonymity specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • H04W 12/60 Context-dependent security
    • H04W 12/68 Gesture-dependent or behaviour-dependent

Abstract

The application provides a security monitoring method and a security monitoring device applied to the Internet of Things. The method comprises the following steps: a threat perception platform collects event information of preset behaviors occurring at an Internet of Things terminal, the event information being collected by a program running on the Internet of Things terminal; the event information of Internet of Things terminals belonging to the same model or the same type is integrated and effective behavior characteristics are extracted from the integrated event information; and, based on the effective behavior characteristics, any Internet of Things terminal whose effective behavior characteristics deviate from the baseline characteristics of the same model or the same type by more than a preset threshold value is identified as an abnormal terminal. The application thus performs security monitoring on abnormal Internet of Things terminals and improves security.

Description

Safety monitoring method and device applied to Internet of things
[ technical field ]
The application relates to the technical field of computer networks, in particular to a security monitoring method, a security monitoring device, security monitoring equipment and a computer storage medium applied to the Internet of things.
[ background of the invention ]
This section is intended to provide a background or context to the embodiments of the application that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
The Internet of Things (IoT) is an information carrier based on the Internet, traditional telecommunication networks and the like that allows all ordinary physical objects which can be independently addressed to form an interconnected network. With the development of Internet of Things technology, a large number of Internet of Things terminals have been connected to the Internet, but because the market is still immature, the security protection of these terminals still has many weak points. Moreover, because a large number of Internet of Things terminals are scattered across every corner of cyberspace, they cannot be managed in a unified way, and once such terminals are compromised they pose a serious threat to network security and user privacy.
[ summary of the invention ]
In view of this, the present application provides a security monitoring method, apparatus, device and computer storage medium applied to the internet of things, so as to perform security monitoring on a terminal of the internet of things, and improve security.
The specific technical scheme is as follows:
in a first aspect, the present application provides a security monitoring method applied to the internet of things, including:
the method comprises the steps that a threat perception platform collects event information of preset behaviors occurring at an Internet of things terminal, wherein the event information is collected by a program running at the Internet of things terminal;
integrating event information of terminals of the Internet of things belonging to the same model or the same type and extracting effective behavior characteristics from the integrated event information;
and, based on the effective behavior characteristics, identifying as an abnormal terminal an Internet of Things terminal whose effective behavior characteristics deviate from the baseline characteristics of the same model or the same type by more than a preset threshold value.
According to a preferred embodiment of the present application, the event information of the preset behavior includes at least one of:
file events, storage item change events, process events, and network connection events.
According to a preferred embodiment of the present application, the integrating event information of terminals of internet of things belonging to the same model or the same type includes:
and carrying out data cleaning and normalization processing on the event information of the terminals of the Internet of things belonging to the same model or the same type.
According to a preferred embodiment of the present application, the extracting of effective behavior features from the integrated event information includes:
inputting the vector representation of the event information of the Internet of Things terminal into an encoder for dimension reduction, and taking the obtained vector representation as the vector representation of the effective behavior characteristics.
According to a preferred embodiment of the present application, based on the effective behavior characteristics, identifying, as an abnormal terminal, an internet of things terminal in which the degree of deviation of the effective behavior characteristics from the baseline characteristics of the same model or the same type exceeds a preset threshold value includes:
inputting the vector representation of the effective behavior characteristics into a decoder for dimension increasing processing, and determining the difference degree between the vector representation obtained by the dimension increasing processing and the vector representation of the event information of the terminal of the Internet of things;
and identifying, among the Internet of Things terminals of the same model or the same type, the Internet of Things terminal whose difference degree exceeds a preset threshold value as an abnormal terminal.
According to a preferred embodiment of the present application, before the integrating the event information of the terminals of the internet of things belonging to the same model or the same type, the method further includes:
judging whether event information of the terminal of the Internet of things contains characteristic behaviors generated by known attacks or not;
and identifying the terminal of the Internet of things containing the characteristic behaviors generated by the known attack as an abnormal terminal.
In a second aspect, the present application provides a security monitoring device applied to the internet of things, the device is disposed on a threat perception platform, and includes:
the system comprises a collecting unit, a processing unit and a processing unit, wherein the collecting unit is used for collecting event information of preset behaviors of the Internet of things terminal, which is collected by a program running on the Internet of things terminal;
the integration unit is used for integrating the event information of the terminals of the Internet of things of the same model or the same type;
the first identification unit is used for extracting effective behavior characteristics from the integrated event information and, based on the effective behavior characteristics, identifying as an abnormal terminal the Internet of Things terminal whose effective behavior characteristics deviate from the baseline characteristics of the same model or the same type by more than a preset threshold.
According to a preferred embodiment of the present application, the event information of the preset behavior includes at least one of:
file events, storage item change events, process events, and network connection events.
According to a preferred embodiment of the present application, the integration unit is specifically configured to perform data cleaning and normalization processing on event information of terminals of the internet of things belonging to the same model or the same type.
According to a preferred embodiment of the present application, when extracting the effective behavior feature, the first identifying unit specifically performs:
inputting the vector representation of the event information of the Internet of Things terminal into an encoder for dimension reduction, and taking the obtained vector representation as the vector representation of the effective behavior characteristics.
According to a preferred embodiment of the present application, the first identification unit specifically executes, when identifying, as an abnormal terminal, an internet of things terminal in which the degree of deviation of effective behavior characteristics from the baseline characteristics of the same model or the same type exceeds a preset threshold, based on the effective behavior characteristics:
inputting the vector representation of the effective behavior characteristics into a decoder for dimension increasing processing, and determining the difference degree between the vector representation obtained by the dimension increasing processing and the vector representation of the event information of the terminal of the Internet of things;
and identifying, among the Internet of Things terminals of the same model or the same type, the Internet of Things terminal whose difference degree exceeds a preset threshold value as an abnormal terminal.
According to a preferred embodiment of the present application, the apparatus further comprises:
the second identification unit is used for judging whether the event information of the Internet of things terminals contains characteristic behaviors generated by known attacks or not before the integration unit integrates the event information of the Internet of things terminals of the same model or the same type; and identifying the terminal of the Internet of things containing the characteristic behaviors generated by the known attack as an abnormal terminal.
In a third aspect, the present application further provides an apparatus, comprising:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a method as in any of the above.
In a fourth aspect, the present application also provides a storage medium containing computer-executable instructions for performing the method as described in any one of the above when executed by a computer processor.
According to the technical scheme, the security monitoring method of the Internet of Things provided by the application can perform security monitoring on abnormal Internet of Things terminals and improve security.
[ description of the drawings ]
Fig. 1 illustrates an exemplary system architecture of a security monitoring method or apparatus of the internet of things to which embodiments of the present invention may be applied;
FIG. 2 is a flow chart of a method provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of an exemplary embodiment of an encoder-decoder;
fig. 4 is a structural diagram of a safety detection device according to an embodiment of the present application;
FIG. 5 illustrates a block diagram of an exemplary computer system/server suitable for use in implementing embodiments of the present invention.
[ detailed description ]
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 shows an exemplary system architecture of a security monitoring method or apparatus of the internet of things to which an embodiment of the present invention can be applied.
As shown in fig. 1, the system architecture may include an internet of things terminal 101, a network 102, and a server 103. The network 102 is used to provide a medium for a communication link between the internet of things terminal 101 and the server 103. Network 102 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
A user may interact with a server 103 over a network 102 using an internet of things terminal 101. Various applications, such as a voice interaction application, a web browser application, a communication application, and the like, may be installed on the internet of things terminal 101.
The internet of things terminal 101 may be any internet of things terminal, including but not limited to smart home devices, smart wearable devices, smart transportation devices, smart environment monitoring devices, and the like. The threat awareness platform provided by the present invention may be disposed and run in the server 103 described above. It may be implemented as a plurality of software or software modules (for example, for providing distributed services), or as a single software or software module, which is not specifically limited herein. The server 103 may be a single server or a server group including a plurality of servers.
It should be understood that the number of internet of things terminals, networks, and servers in fig. 1 is merely illustrative. Any number of terminals, networks and servers of the internet of things can be provided according to implementation requirements.
Fig. 2 is a flowchart of a method provided by an embodiment of the present application, and as shown in fig. 2, the method may include the following steps:
in 201, the threat awareness platform collects event information of a preset behavior occurring at the internet of things terminal, which is collected by a program running at the internet of things terminal.
In the embodiment of the application, a program capable of monitoring and acquiring the internal running state of the terminal can be written for the embedded platform of the Internet of Things terminal, and the program is embedded into and runs on the Internet of Things terminal. The program can reside in the system of the Internet of Things terminal and continuously monitor and acquire event information of preset behaviors occurring at the terminal.
The event information of the preset behavior may include at least one of file events, storage item change events, process events, network connection events, and the like.
For example, the file event may include events such as file creation and deletion in the writable partition of the system disk of the Internet of Things terminal, together with their detailed information. The storage item change event may include changes to storage items written to flash memory, such as the non-volatile random access memory (NVRAM) of the terminal, together with their detailed information. The process event may include events such as the creation and exit of system processes of the terminal, together with their detailed information. The network connection event may include events such as the creation and destruction of system network ports of the terminal, together with the detailed information of the five-tuple (protocol, local address, local port number, remote address, remote port number) after a connection is established.
The program running on the terminal of the internet of things can send the collected event information to the threat sensing platform in a streaming or periodic mode through the network, and the event information is collected and stored by the threat sensing platform.
In 202, event information of terminals of the internet of things belonging to the same model or the same type is integrated and effective behavior features are extracted from the event information.
Generally speaking, when Internet of Things devices of the same model or the same type run the same software system version, the collected event information should show largely consistent behavior characteristics. When the behavior characteristics of one or several devices obviously deviate from the baseline, the probability that they have been compromised is high. The technical scheme of the present application is built on this core idea.
After the threat sensing platform collects the event information of each internet of things terminal, the event information of the internet of things terminals of the same model or the same type can be subjected to data cleaning and normalization processing during integration. The data cleaning can filter out the event information obviously exceeding a reasonable value, the event information with an incorrect data format, the event information with data missing and the like, so that the left event information is effective.
In industry practice, abnormal terminals are generally identified with a clustering method such as K-Means, but choosing the threshold for such a method mostly depends on manual experience, which causes misjudgment and yields low accuracy.
The method and the device of the present application instead adopt a more intelligent neural-network-based autoencoder algorithm to perform unsupervised anomaly detection. When extracting the effective behavior features, the vector representation of the event information of the Internet of Things terminal is input into an encoder for dimension reduction processing, and the resulting vector representation is taken as the vector representation of the effective behavior features.
After the event information of the Internet of Things devices has been normalized, a vector representation formed from the event information of each device can be obtained by mapping, and the dimensionality of this vector representation equals the number of kinds of event information collected from the device. For example, if sixteen kinds of event information are collected for each Internet of Things device, the event information of one device can be represented as a sixteen-dimensional vector. As shown in fig. 3, the vector representation is input into an autoencoder formed by a multilayer neural network, which reduces the dimensionality of the multidimensional vector representation of the device; for example, a sixteen-dimensional vector covering file events, storage item change events, process events and network connection events is reduced to two dimensions. In this process the multilayer neural network automatically learns effective behavior features, which are obtained from the two-dimensional vector produced by the dimension reduction. That is, two-dimensional event information is automatically learned from the sixteen-dimensional vector, and the behavior features embodied by that information are the effective behavior features. The sixteen and two dimensions are merely the dimensions listed in the present application; the present application is not limited to these specific dimensions.
In 203, based on the effective behavior features, the internet of things terminal with the degree of the effective behavior features deviating from the baseline features of the same model or the same type exceeding a preset threshold is identified as an abnormal terminal.
In this step, the vector representation of the effective behavior characteristics can be input into a decoder formed by a multilayer neural network for dimension-increasing processing, and then the difference degree between the vector representation obtained by the dimension-increasing processing and the vector representation of the event information of the Internet of Things terminal is determined; among the Internet of Things terminals of the same model or the same type, those whose difference degree exceeds a preset threshold value are identified as abnormal terminals. For example, as shown in fig. 3, the two-dimensional vector obtained after the dimensionality reduction is raised back to sixteen dimensions by a decoder formed by a multilayer neural network, and this sixteen-dimensional vector is compared with the original sixteen-dimensional vector before the dimensionality reduction to determine the degree of difference. The difference degree can be determined for each Internet of Things terminal of the same model or the same type, and the difference degrees of the terminals of the same model or the same type are averaged. If the difference degree of a terminal deviates from the average value by more than a preset threshold value, that terminal is identified as an abnormal terminal.
That is, the vector representation obtained by the dimension reduction processing is restored. For learned effective behavior characteristics that best reflect the event information of the Internet of Things terminals, under ideal conditions the difference between the vector before dimensionality reduction and the vector restored after it lies within a normal range, where the normal range is the difference degree generally exhibited by Internet of Things terminals of the same model or the same type. If the error between the two vectors for a certain Internet of Things terminal deviates from the normal range, that terminal can be considered an abnormal terminal.
In the method, the effective behavior characteristics are obtained through self-learning of the multilayer neural network and the characteristic threshold does not need to be set manually; the autoencoder-based algorithm can greatly reduce the misjudgment that a clustering algorithm suffers from manually selected characteristic thresholds, and is more efficient.
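The cleaning step of 202 and the encoder-decoder comparison of 203 above, as an added, self-contained example; this is not code from the patent or its assignee. It assumes a linear autoencoder whose two-dimensional bottleneck is found by power iteration over the group's covariance rather than by training a multilayer network, so that it runs with the Python standard library alone; the sixteen event-type names, the sanity bound, the sample reports and the threshold expressed in standard deviations of the group's difference degrees are all constructed for the example and are not from the patent.

```python
import math
import random

# Sixteen event-type counters per terminal (names constructed for this example; the
# patent only says sixteen kinds of event information are collected per device).
EVENT_TYPES = [
    "file_create", "file_delete", "file_modify", "file_rename",
    "nvram_set", "nvram_delete", "nvram_read", "config_write",
    "proc_create", "proc_exit", "proc_crash", "proc_exec_tmp",
    "net_port_open", "net_port_close", "net_conn_out", "net_conn_in",
]
MAX_REASONABLE_COUNT = 100_000  # "obviously exceeds a reasonable value" bound (assumed)


def clean_records(records):
    """Data cleaning (step 202): drop reports with a missing counter, a non-integer or
    negative value, or a count beyond the sanity bound, so what remains is usable."""
    kept = []
    for rec in records:
        values = [rec.get("counts", {}).get(name) for name in EVENT_TYPES]
        if any(not isinstance(v, int) or isinstance(v, bool) or v < 0
               or v > MAX_REASONABLE_COUNT for v in values):
            continue
        kept.append(rec)
    return kept


def normalize(records):
    """Map each report to a 16-dim vector and z-score every column across the group."""
    X = [[rec["counts"][name] for name in EVENT_TYPES] for rec in records]
    cols = list(zip(*X))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return [[(x - m) / s for x, m, s in zip(row, means, stds)] for row in X]


def fit_linear_autoencoder(X, k=2, iters=500):
    """Learn the k-dim bottleneck of a linear autoencoder: the top-k principal
    directions of the (already centred) data, via power iteration with deflation.
    Linear special case of the multilayer-network autoencoder in the patent."""
    n, d = len(X), len(X[0])
    cov = [[sum(row[p] * row[q] for row in X) / n for q in range(d)] for p in range(d)]
    comps = []
    for _ in range(k):
        v = [math.sin(p + 1.0) for p in range(d)]  # fixed, non-degenerate start vector
        for _ in range(iters):
            w = [sum(cov[p][q] * v[q] for q in range(d)) for p in range(d)]
            norm = math.sqrt(sum(x * x for x in w))
            v = [x / norm for x in w]
        lam = sum(v[p] * cov[p][q] * v[q] for p in range(d) for q in range(d))
        cov = [[cov[p][q] - lam * v[p] * v[q] for q in range(d)] for p in range(d)]
        comps.append(v)
    return comps


def encode(x, comps):  # dimension reduction: 16 -> k effective behaviour features
    return [sum(a * b for a, b in zip(x, c)) for c in comps]


def decode(z, comps):  # dimension increase: k -> 16
    return [sum(z[j] * comps[j][p] for j in range(len(comps))) for p in range(len(comps[0]))]


def reconstruction_error(x, comps):
    """Difference degree between the restored vector and the original (RMSE)."""
    x_hat = decode(encode(x, comps), comps)
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, x_hat)) / len(x))


def detect_abnormal_terminals(records, threshold=3.0):
    """Step 203 for one model group: flag terminals whose difference degree exceeds
    the group average by more than `threshold` standard deviations (unit assumed)."""
    records = clean_records(records)
    X = normalize(records)
    comps = fit_linear_autoencoder(X, k=2)
    errors = [reconstruction_error(x, comps) for x in X]
    mean = sum(errors) / len(errors)
    std = math.sqrt(sum((e - mean) ** 2 for e in errors) / len(errors)) or 1.0
    return [rec["id"] for rec, e in zip(records, errors) if e - mean > threshold * std]


def make_sample_group(n_normal=60, seed=0):
    """Constructed event-count reports for one model group (not real telemetry).
    Normal terminals follow two latent factors (traffic scale a, user activity b) plus
    noise; cam-007 additionally shows a burst of process creations and outbound
    connections that fits neither factor. Four malformed reports are appended."""
    rng = random.Random(seed)
    base = [40, 30, 80, 10, 12, 20, 60, 15, 90, 85, 10, 12, 25, 24, 120, 35]
    load_a = [1.0, 1.0, 0.9, 1.0, 0.0, 0.0, 0.1, 0.0, 1.0, 1.0, 0.0, 0.0, 0.0, 0.0, 0.9, 0.1]
    records = []
    for i in range(n_normal + 1):
        a, b = rng.uniform(0.5, 2.0), rng.uniform(0.5, 2.0)
        counts = {name: max(0, round(bk * (lk * a + (1 - lk) * b) + rng.gauss(0, 0.03 * bk)))
                  for name, bk, lk in zip(EVENT_TYPES, base, load_a)}
        if i == 7:
            counts["proc_create"] += 250
            counts["net_conn_out"] += 350
        records.append({"id": f"cam-{i:03d}", "model": "IPC-X1", "counts": counts})
    ok = dict(zip(EVENT_TYPES, base))
    records.append({"id": "bad-missing", "model": "IPC-X1",
                    "counts": {k: v for k, v in ok.items() if k != "nvram_set"}})
    records.append({"id": "bad-negative", "model": "IPC-X1", "counts": dict(ok, file_delete=-3)})
    records.append({"id": "bad-format", "model": "IPC-X1", "counts": dict(ok, proc_exit="85")})
    records.append({"id": "bad-range", "model": "IPC-X1", "counts": dict(ok, net_conn_in=10**9)})
    return records


if __name__ == "__main__":
    print(detect_abnormal_terminals(make_sample_group()))
```

The group is normalized with the suspect terminal included, as the method integrates all terminals of a model before learning; a single outlier inflates the column scale of the two counters it spikes but cannot become one of the two learned directions, so its restored vector is far from the original while the others reconstruct almost exactly.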
For the identified abnormal terminal, the threat awareness platform may send an abnormal notification to the administrator, where the abnormal notification may include information of the abnormal terminal, such as information of an ID, a name, a model, a type, and the like of the abnormal terminal, and may further include event information of the abnormal terminal. The exception notification may be provided to the administrator visually, for example, through a system interface, or may be sent to a terminal of the administrator. Through innovation in the technology of security monitoring of the terminal of the Internet of things, the terminal manufacturer of the Internet of things or an information security supervision department can more effectively discover threats and respond in time.
Further, before performing step 202, it may be first determined whether event information of the terminal of the internet of things includes a characteristic behavior generated by a known attack, and if so, the terminal of the internet of things including the characteristic behavior generated by the known attack is identified as an abnormal terminal. The characteristic behavior generated by the known attack may be a characteristic behavior configured manually according to experience, may also be a characteristic behavior generated by the known attack and accurately identified in other manners, and may also be a characteristic behavior obtained by performing behavior characteristic analysis on the abnormal terminal identified in the manner provided by the embodiment of the present application.
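The pre-filter just described, matching a terminal's event information against characteristic behaviors of known attacks before it enters step 202, as an added example that is not code from the patent or its assignee. The event records use the event kinds and five-tuple detail listed in step 201; the two signatures, the writable-partition paths, the expected listening services and the sample reports are constructed for this example and are stated as assumptions, not as the patent's own rules.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Writable partitions of the constructed terminal model (assumption; the patent only
# speaks of "the system disk writable partition" without naming paths).
WRITABLE_PREFIXES = ("/data/", "/tmp/", "/var/")
# Services expected to open listening ports on this model (constructed baseline).
EXPECTED_LISTENERS = {"rtspd", "httpd", "onvifd"}


@dataclass
class Event:
    kind: str      # "file", "storage", "process" or "network"
    action: str    # e.g. "create", "delete", "exit", "port_open", "connect"
    ts: int        # seconds since boot (constructed)
    detail: dict = field(default_factory=dict)


def five_tuple(protocol, local_addr, local_port, remote_addr, remote_port):
    """Detail record for an established connection, as listed in the description."""
    return {"protocol": protocol, "local_addr": local_addr, "local_port": local_port,
            "remote_addr": remote_addr, "remote_port": remote_port}


def sig_dropped_file_executed(events: List[Event]) -> bool:
    """Characteristic behaviour (constructed): a file written to a writable partition
    is later started as a process. Order matters, so timestamps are compared."""
    dropped = {}
    for ev in sorted(events, key=lambda e: e.ts):
        path = ev.detail.get("path")
        if ev.kind == "file" and ev.action == "create" and path \
                and path.startswith(WRITABLE_PREFIXES):
            dropped[path] = ev.ts
        if ev.kind == "process" and ev.action == "create":
            exe = ev.detail.get("exe")
            if exe in dropped and dropped[exe] <= ev.ts:
                return True
    return False


def sig_unexpected_listener(events: List[Event]) -> bool:
    """Characteristic behaviour (constructed): a process outside the model's expected
    service set opens a listening network port."""
    return any(ev.kind == "network" and ev.action == "port_open"
               and ev.detail.get("process") not in EXPECTED_LISTENERS
               for ev in events)


SIGNATURES: Dict[str, Callable[[List[Event]], bool]] = {
    "dropped_file_executed": sig_dropped_file_executed,
    "unexpected_listener": sig_unexpected_listener,
}


def match_known_attacks(events: List[Event]) -> List[str]:
    """Names of the known-attack signatures a terminal's event information matches."""
    return [name for name, check in SIGNATURES.items() if check(events)]


def identify_abnormal_by_signature(terminals: Dict[str, List[Event]]) -> Dict[str, List[str]]:
    """Pre-filter before step 202: terminals matching any signature are abnormal
    and need not enter the baseline comparison."""
    hits = {tid: match_known_attacks(evs) for tid, evs in terminals.items()}
    return {tid: names for tid, names in hits.items() if names}


# Constructed event reports for two terminals of one model (not real telemetry).
SAMPLE_TERMINALS = {
    "cam-001": [
        Event("process", "create", 10, {"pid": 311, "exe": "/usr/sbin/rtspd"}),
        Event("network", "port_open", 11, {"process": "rtspd", "port": 554}),
        Event("file", "create", 90, {"path": "/data/log/events.db"}),
        Event("network", "connect", 95, five_tuple("tcp", "10.0.0.12", 40112, "10.0.0.1", 443)),
    ],
    "cam-002": [
        Event("process", "create", 10, {"pid": 309, "exe": "/usr/sbin/rtspd"}),
        Event("file", "create", 120, {"path": "/tmp/.x"}),
        Event("process", "create", 121, {"pid": 877, "exe": "/tmp/.x"}),
        Event("network", "port_open", 122, {"process": ".x", "port": 9001}),
        Event("network", "connect", 123, five_tuple("tcp", "10.0.0.13", 51300, "198.51.100.7", 8080)),
    ],
}

if __name__ == "__main__":
    print(identify_abnormal_by_signature(SAMPLE_TERMINALS))
```

Signatures are kept as plain predicates over the event list so that behaviours derived from terminals the autoencoder flagged can be added to the same table without touching the matching code.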
The above is a detailed description of the method provided in the present application, and the following is a detailed description of the apparatus provided in the present application with reference to the embodiments.
Fig. 4 is a structural diagram of a security detection apparatus according to an embodiment of the present application. As shown in fig. 4, the apparatus is disposed on the threat awareness platform of the foregoing method to implement the functions of that platform. It specifically comprises a collecting unit 01, an integration unit 02 and a first identification unit 03, and may further comprise a second identification unit 04. The main functions of each component unit are as follows:
the collecting unit 01 is responsible for collecting event information of preset behaviors occurring at the internet of things terminal, which is collected by a program running at the internet of things terminal. Specifically, the event may include at least one of a file event, a storage item change event, a process event, and a network connection event.
The integration unit 02 is responsible for integrating event information of terminals of the internet of things belonging to the same model or the same type. Specifically, the event information of the internet of things terminals belonging to the same model or the same type can be subjected to data cleaning and normalization processing.
The first identification unit 03 is responsible for extracting effective behavior features from the integrated event information, and based on the effective behavior features, identifies the internet of things terminal, of which the degree of deviation of the effective behavior features from baseline features of the same model or the same type exceeds a preset threshold, as an abnormal terminal.
When extracting the effective behavior features, the first identifying unit 03 may input the vector representation of the event information of the internet of things terminal into the encoder for dimension reduction processing, and use the obtained vector representation as the vector representation of the effective behavior features.
When identifying, based on the effective behavior characteristics, the Internet of Things terminal whose effective behavior characteristics deviate from the baseline characteristics of the same model or the same type by more than the preset threshold as an abnormal terminal, the first identification unit 03 can input the vector representation of the effective behavior characteristics into a decoder for dimension-increasing processing, determine the difference degree between the vector representation obtained by the dimension-increasing processing and the vector representation of the event information of the terminal, and identify, among the Internet of Things terminals of the same model or the same type, the terminal whose difference degree exceeds a preset threshold value as an abnormal terminal.
Before the integration unit 02 integrates the event information of the internet of things terminals of the same model or the same type, the second identification unit 04 judges whether the event information of the internet of things terminals contains characteristic behaviors generated by known attacks; and identifying the terminal of the Internet of things containing the characteristic behaviors generated by the known attack as an abnormal terminal.
The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the unit is only a logical division, and other divisions may be realized in practice. The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
FIG. 5 illustrates a block diagram of an exemplary computer system/server suitable for use in implementing embodiments of the present invention. The computer system/server 012 shown in fig. 5 is only an example, and should not bring any limitation to the function and the scope of use of the embodiment of the present invention.
As shown in fig. 5, the computer system/server 012 is embodied as a general purpose computing device. The components of computer system/server 012 may include, but are not limited to: one or more processors or processing units 016, a system memory 028, and a bus 018 that couples various system components including the system memory 028 and the processing unit 016.
Bus 018 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the enhanced ISA bus, the Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.
Computer system/server 012 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer system/server 012 and includes both volatile and nonvolatile media, removable and non-removable media.
System memory 028 can include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 030 and/or cache memory 032. The computer system/server 012 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 034 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 5, commonly referred to as a "hard drive"). Although not shown in FIG. 5, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In such cases, each drive may be connected to bus 018 via one or more data media interfaces. Memory 028 can include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of embodiments of the present invention.
Program/utility 040 having a set (at least one) of program modules 042 can be stored, for example, in memory 028, such program modules 042 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof might include an implementation of a network environment. Program modules 042 generally perform the functions and/or methodologies of embodiments of the present invention as described herein.
The computer system/server 012 may also communicate with one or more external devices 014 (e.g., keyboard, pointing device, display 024, etc.). In the present invention, the computer system/server 012 communicates with an external radar device, and may also communicate with one or more devices that enable a user to interact with the computer system/server 012, and/or with any device (e.g., network card, modem, etc.) that enables the computer system/server 012 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 022. Also, the computer system/server 012 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) via the network adapter 020. As shown, the network adapter 020 communicates with the other modules of the computer system/server 012 via bus 018. It should be appreciated that although not shown in fig. 5, other hardware and/or software modules may be used in conjunction with the computer system/server 012, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 016 executes programs stored in the system memory 028, thereby executing various functional applications and data processing, such as implementing the method flow provided by the embodiment of the present invention.
The computer program described above may be provided in a computer storage medium encoded with a computer program that, when executed by one or more computers, causes the one or more computers to perform the method flows and/or apparatus operations shown in the above-described embodiments of the invention. For example, the method flows provided by the embodiments of the invention are executed by one or more processors described above.
As technology advances, the notion of a medium keeps broadening: a computer program is no longer confined to tangible media and may, for example, be downloaded directly from a network. Any combination of one or more computer-readable media may be employed. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (14)

1. A safety monitoring method applied to the Internet of things, characterized by comprising the following steps:
a threat perception platform collects event information of preset behaviors occurring at an Internet of things terminal, the event information being collected by a program running on the Internet of things terminal;
integrating the event information of Internet of things terminals belonging to the same model or the same type, and extracting effective behavior characteristics from the integrated event information;
and, based on the effective behavior characteristics, identifying as an abnormal terminal an Internet of things terminal whose effective behavior characteristics deviate from the baseline characteristics of the same model or the same type by more than a preset threshold.
2. The method of claim 1, wherein the event information of the preset behavior comprises at least one of the following:
file events, storage item change events, process events, and network connection events.
3. The method according to claim 1, wherein integrating the event information of Internet of things terminals belonging to the same model or the same type comprises:
performing data cleaning and normalization on the event information of the Internet of things terminals belonging to the same model or the same type.
4. The method of claim 1, wherein extracting effective behavior characteristics from the integrated event information comprises:
inputting the vector representation of the event information of the Internet of things terminal into an encoder for dimension reduction, and taking the resulting vector representation as the vector representation of the effective behavior characteristics.
5. The method of claim 4, wherein identifying as an abnormal terminal, based on the effective behavior characteristics, an Internet of things terminal whose effective behavior characteristics deviate from the baseline characteristics of the same model or the same type by more than a preset threshold comprises:
inputting the vector representation of the effective behavior characteristics into a decoder for dimension-raising processing, and determining the degree of difference between the vector representation obtained by the dimension-raising processing and the vector representation of the event information of the Internet of things terminal;
and identifying as an abnormal terminal any Internet of things terminal of the same model or the same type whose degree of difference exceeds a preset threshold.
6. The method according to claim 1, wherein before integrating the event information of Internet of things terminals belonging to the same model or the same type, the method further comprises:
judging whether the event information of the Internet of things terminal contains characteristic behaviors generated by known attacks;
and identifying an Internet of things terminal containing characteristic behaviors generated by a known attack as an abnormal terminal.
7. A safety monitoring device applied to the Internet of things, characterized in that the device is arranged in a threat perception platform and comprises:
a collecting unit, configured to collect event information of preset behaviors occurring at an Internet of things terminal, the event information being collected by a program running on the Internet of things terminal;
an integration unit, configured to integrate the event information of Internet of things terminals of the same model or the same type;
a first identification unit, configured to extract effective behavior characteristics from the integrated event information and, based on the effective behavior characteristics, to identify as an abnormal terminal an Internet of things terminal whose effective behavior characteristics deviate from the baseline characteristics of the same model or the same type by more than a preset threshold.
8. The apparatus of claim 7, wherein the event information of the preset behavior comprises at least one of:
file events, storage item change events, process events, and network connection events.
9. The device according to claim 7, wherein the integration unit is specifically configured to perform data cleaning and normalization on the event information of the Internet of things terminals belonging to the same model or the same type.
10. The device according to claim 7, wherein the first identification unit, when extracting the effective behavior characteristics, specifically performs:
inputting the vector representation of the event information of the Internet of things terminal into an encoder for dimension reduction, and taking the resulting vector representation as the vector representation of the effective behavior characteristics.
11. The device according to claim 10, wherein the first identification unit, when identifying as an abnormal terminal, based on the effective behavior characteristics, an Internet of things terminal whose effective behavior characteristics deviate from the baseline characteristics of the same model or the same type by more than a preset threshold, specifically performs:
inputting the vector representation of the effective behavior characteristics into a decoder for dimension-raising processing, and determining the degree of difference between the vector representation obtained by the dimension-raising processing and the vector representation of the event information of the Internet of things terminal;
and identifying as an abnormal terminal any Internet of things terminal of the same model or the same type whose degree of difference exceeds a preset threshold.
12. The device of claim 7, further comprising:
a second identification unit, configured to judge, before the integration unit integrates the event information of the Internet of things terminals of the same model or the same type, whether the event information of the Internet of things terminals contains characteristic behaviors generated by known attacks, and to identify an Internet of things terminal containing characteristic behaviors generated by a known attack as an abnormal terminal.
13. An apparatus, characterized in that the apparatus comprises:
one or more processors;
a storage device for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-6.
14. A storage medium containing computer-executable instructions for performing the method of any one of claims 1-6 when executed by a computer processor.
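Claims 1 and 3 to 6 describe a pipeline rather than a single model: a signature check for known attacks before integration, per-model cleaning and normalization, an encoder that reduces the event vector, a decoder that raises it back, and a preset threshold on the degree of difference between the original and the reconstruction. The program below is an added example of that pipeline and is not code from the patent or its assignee. It assumes a linear autoencoder (principal components found by power iteration, with the decoder as the transpose of the encoder) because the claims do not fix an encoder architecture; it also assumes a constructed event-count layout for a hypothetical camera model "cam-A", a placeholder denylist process name "example_dropper" for the claim 6 check, a baseline fitted on a historical window of the same model, and k=1 and threshold=1.0 as the preset values.

```python
"""Fleet-level anomaly detection for IoT terminals, following claims 1 and 3-6 above:
a known-attack signature check before integration, per-model cleaning and z-score
normalisation, an encoder (projection onto k principal components), a decoder
(reconstruction) and a preset threshold on the squared reconstruction error.
A linear autoencoder (PCA by power iteration) is assumed so the example runs on the
standard library alone; the patent does not fix the encoder/decoder model."""
import math
from dataclasses import dataclass

FEATURES = ("file_events", "store_changes", "process_events", "net_connections")
KNOWN_ATTACK_PROCESSES = {"example_dropper"}  # constructed placeholder denylist


@dataclass
class Baseline:
    mean: list
    std: list
    components: list  # encoder rows; the decoder uses their transpose


@dataclass
class Verdict:
    flagged: bool
    reason: str
    score: float


def clean(records):
    """Data cleaning: keep records with an id, a model and every counter numeric."""
    return [r for r in records if r.get("terminal_id") and r.get("model")
            and all(isinstance(r.get("counts", {}).get(f), (int, float)) for f in FEATURES)]

def has_known_attack(record, denylist):
    """Claim 6: a process name on the denylist is a characteristic behaviour of a known attack."""
    return any(p in denylist for p in record.get("processes", ()))

def to_vector(record):
    return [float(record["counts"][f]) for f in FEATURES]

def _top_components(cov, k, iters=200):
    """Top-k unit eigenvectors of a covariance matrix: power iteration with deflation."""
    d, m, comps = len(cov), [row[:] for row in cov], []
    for _ in range(k):
        v = [1.0 / math.sqrt(d)] * d
        for _ in range(iters):
            w = [sum(m[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(x * x for x in w))
            if norm < 1e-12:  # no variance left: the baseline has lower rank than k
                return comps
            v = [x / norm for x in w]
        lam = sum(v[i] * sum(m[i][j] * v[j] for j in range(d)) for i in range(d))
        comps.append(v)
        for i in range(d):  # deflate so the next pass converges to the next component
            for j in range(d):
                m[i][j] -= lam * v[i] * v[j]
    return comps

def fit_baseline(vectors, k):
    """Baseline characteristics of one model: per-feature mean/std plus k encoder directions."""
    n, d = len(vectors), len(vectors[0])
    mean = [sum(v[j] for v in vectors) / n for j in range(d)]
    std = [math.sqrt(sum((v[j] - mean[j]) ** 2 for v in vectors) / n) or 1.0 for j in range(d)]
    z = [[(v[j] - mean[j]) / std[j] for j in range(d)] for v in vectors]
    cov = [[sum(row[i] * row[j] for row in z) / n for j in range(d)] for i in range(d)]
    return Baseline(mean, std, _top_components(cov, k))

def zscore(vec, base):
    return [(x - m) / s for x, m, s in zip(vec, base.mean, base.std)]

def encode(z, components):  # dimension reduction: coordinates in the component subspace
    return [sum(a * b for a, b in zip(z, c)) for c in components]

def decode(coeffs, components, d):  # dimension raising: rebuild the full-length vector
    return [sum(c * comp[j] for c, comp in zip(coeffs, components)) for j in range(d)]

def difference_degree(z, recon):
    return sum((a - b) ** 2 for a, b in zip(z, recon))

def detect(current, history, k=1, threshold=1.0, denylist=KNOWN_ATTACK_PROCESSES):
    """Score one collection window against a per-model baseline fitted on `history`."""
    results, by_model, ref = {}, {}, {}
    for rec in clean(current):
        if has_known_attack(rec, denylist):  # checked before integration, as in claim 6
            results[rec["terminal_id"]] = Verdict(True, "known_attack", math.inf)
        else:
            by_model.setdefault(rec["model"], []).append(rec)
    for rec in clean(history):
        ref.setdefault(rec["model"], []).append(to_vector(rec))
    for model, recs in by_model.items():
        if model not in ref:
            continue  # no baseline for this model yet; nothing to compare against
        base = fit_baseline(ref[model], k)
        for rec in recs:
            z = zscore(to_vector(rec), base)
            recon = decode(encode(z, base.components), base.components, len(z))
            score = difference_degree(z, recon)
            flagged = score > threshold
            results[rec["terminal_id"]] = Verdict(flagged, "behaviour_deviation" if flagged else "normal", score)
    return results

def _rec(tid, model, files, stores, procs, conns, processes=()):
    return {"terminal_id": tid, "model": model, "processes": list(processes),
            "counts": dict(zip(FEATURES, (files, stores, procs, conns)))}

# Constructed sample data for a hypothetical camera model: a historical window and a current one.
HISTORY = [_rec("cam-A-01", "cam-A", 100, 10, 20, 30), _rec("cam-A-02", "cam-A", 120, 12, 24, 36),
           _rec("cam-A-03", "cam-A", 80, 8, 16, 24), _rec("cam-A-04", "cam-A", 110, 11, 22, 33),
           _rec("cam-A-05", "cam-A", 90, 9, 18, 27)]
CURRENT = [
    _rec("cam-A-01", "cam-A", 105, 10, 21, 31),   # ordinary drift
    _rec("cam-A-02", "cam-A", 200, 20, 40, 60),   # twice as busy, but the fleet's usual shape
    _rec("cam-A-03", "cam-A", 100, 10, 20, 900),  # connection burst with no matching activity
    _rec("cam-A-04", "cam-A", 110, 11, 22, 33, processes=["example_dropper"]),  # signature hit
    {"terminal_id": "cam-A-05", "model": "cam-A", "counts": {"file_events": 90}},  # malformed
]

if __name__ == "__main__":
    for tid, v in sorted(detect(CURRENT, HISTORY).items()):
        print(f"{tid}: {'ABNORMAL' if v.flagged else 'ok'} ({v.reason}, score={v.score:.3f})")
```

Two things in the constructed window are worth noticing. The terminal that is twice as busy as the fleet reconstructs almost perfectly, because after z-scoring it still lies on the direction the encoder learned; the terminal whose connection count grows without any matching file or process activity does not, so its degree of difference is orders of magnitude above the threshold. That is the point of reducing and then raising the dimension rather than thresholding raw counts: the baseline captures the shape of a model's behaviour, not its volume. The history here is rank one, so asking for k=2 returns a single component; in practice a model's history has more structure, and k and the threshold would be chosen from the distribution of reconstruction errors on known-good windows rather than fixed at 1 and 1.0.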
CN202010292027.8A 2020-04-14 2020-04-14 Security monitoring method and device applied to Internet of things Active CN111565377B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010292027.8A CN111565377B (en) 2020-04-14 2020-04-14 Security monitoring method and device applied to Internet of things

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010292027.8A CN111565377B (en) 2020-04-14 2020-04-14 Security monitoring method and device applied to Internet of things

Publications (2)

Publication Number Publication Date
CN111565377A true CN111565377A (en) 2020-08-21
CN111565377B CN111565377B (en) 2023-08-01

Family

ID=72073024

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010292027.8A Active CN111565377B (en) 2020-04-14 2020-04-14 Security monitoring method and device applied to Internet of things

Country Status (1)

Country Link
CN (1) CN111565377B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113965394A (en) * 2021-10-27 2022-01-21 北京天融信网络安全技术有限公司 Network attack information acquisition method and device, computer equipment and medium

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105407103A (en) * 2015-12-19 2016-03-16 中国人民解放军信息工程大学 Network threat evaluation method based on multi-granularity anomaly detection
CN107196930A (en) * 2017-05-12 2017-09-22 苏州优圣美智能系统有限公司 Method, system and the mobile terminal of computer network abnormality detection
US20180248905A1 (en) * 2017-02-24 2018-08-30 Ciena Corporation Systems and methods to detect abnormal behavior in networks
CN108804914A (en) * 2017-05-03 2018-11-13 腾讯科技(深圳)有限公司 A kind of method and device of anomaly data detection
CN109413091A (en) * 2018-11-20 2019-03-01 中国联合网络通信集团有限公司 A kind of network security monitoring method and apparatus based on internet-of-things terminal
CN109711714A (en) * 2018-12-24 2019-05-03 浙江大学 Product quality prediction technique is assembled in manufacture based on shot and long term memory network in parallel
WO2019094729A1 (en) * 2017-11-09 2019-05-16 Strong Force Iot Portfolio 2016, Llc Methods and systems for the industrial internet of things
CN109981617A (en) * 2019-03-12 2019-07-05 深圳市智物联网络有限公司 A kind of internet of things equipment monitoring method, system and electronic equipment and storage medium
CN110033014A (en) * 2019-01-08 2019-07-19 阿里巴巴集团控股有限公司 The detection method and its system of abnormal data
CN110807518A (en) * 2019-11-06 2020-02-18 国网山东省电力公司威海供电公司 Outlier detection method for power grid data
CN110855514A (en) * 2019-09-30 2020-02-28 北京瑞航核心科技有限公司 Behavior monitoring method focusing on safety of Internet of things entity

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105407103A (en) * 2015-12-19 2016-03-16 中国人民解放军信息工程大学 Network threat evaluation method based on multi-granularity anomaly detection
US20180248905A1 (en) * 2017-02-24 2018-08-30 Ciena Corporation Systems and methods to detect abnormal behavior in networks
CN108804914A (en) * 2017-05-03 2018-11-13 腾讯科技(深圳)有限公司 A kind of method and device of anomaly data detection
CN107196930A (en) * 2017-05-12 2017-09-22 苏州优圣美智能系统有限公司 Method, system and the mobile terminal of computer network abnormality detection
WO2019094729A1 (en) * 2017-11-09 2019-05-16 Strong Force Iot Portfolio 2016, Llc Methods and systems for the industrial internet of things
CN109413091A (en) * 2018-11-20 2019-03-01 中国联合网络通信集团有限公司 A kind of network security monitoring method and apparatus based on internet-of-things terminal
CN109711714A (en) * 2018-12-24 2019-05-03 浙江大学 Product quality prediction technique is assembled in manufacture based on shot and long term memory network in parallel
CN110033014A (en) * 2019-01-08 2019-07-19 阿里巴巴集团控股有限公司 The detection method and its system of abnormal data
CN109981617A (en) * 2019-03-12 2019-07-05 深圳市智物联网络有限公司 A kind of internet of things equipment monitoring method, system and electronic equipment and storage medium
CN110855514A (en) * 2019-09-30 2020-02-28 北京瑞航核心科技有限公司 Behavior monitoring method focusing on safety of Internet of things entity
CN110807518A (en) * 2019-11-06 2020-02-18 国网山东省电力公司威海供电公司 Outlier detection method for power grid data

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
李偲: "Design and Implementation of a Security Protection Mechanism for the Video Internet of Things" (《面向视频物联网的安全防护机制的设计与实现》), China Master's Theses Full-text Database, Information Science and Technology series (《中国优秀硕士学位论文全文数据库 信息科技辑》) *
杨阳, 王利斌, 冯磊: "An Approach to and Implementation of IoT Application Security Control Centred on Behaviour Analysis of Ubiquitous Power IoT Terminals" (《以泛在电力物联终端行为分析为核心的物联网应用安全管控思路及实现》), Electronic World (《电子世界》) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113965394A (en) * 2021-10-27 2022-01-21 北京天融信网络安全技术有限公司 Network attack information acquisition method and device, computer equipment and medium
CN113965394B (en) * 2021-10-27 2024-02-02 北京天融信网络安全技术有限公司 Network attack information acquisition method, device, computer equipment and medium

Also Published As

Publication number Publication date
CN111565377B (en) 2023-08-01

Similar Documents

Publication Publication Date Title
CN101751535B (en) Data loss protection through application data access classification
EP3272097B1 (en) Forensic analysis
US20170149800A1 (en) System and method for information security management based on application level log analysis
CN111585799A (en) Network fault prediction model establishing method and device
CN111400357A (en) Method and device for identifying abnormal login
CN111614614B (en) Safety monitoring method and device applied to Internet of things
CN114726633B (en) Traffic data processing method and device, storage medium and electronic equipment
CN110865866B (en) Virtual machine safety detection method based on introspection technology
CN115034596A (en) Risk conduction prediction method, device, equipment and medium
CN108156127B (en) Network attack mode judging device, judging method and computer readable storage medium thereof
CN114338372A (en) Network information security monitoring method and system
CN111565377B (en) Security monitoring method and device applied to Internet of things
CN113132393A (en) Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium
CN112926925A (en) Product supervision method and device, electronic equipment and storage medium
CN110955890B (en) Method and device for detecting malicious batch access behaviors and computer storage medium
CN116545740A (en) Threat behavior analysis method and server based on big data
CN109936528B (en) Monitoring method, device, equipment and system
CN116418591A (en) Intelligent computer network safety intrusion detection system
US20230315855A1 (en) Exact restoration of a computing system to the state prior to infection
CN116028917A (en) Authority detection method and device, storage medium and electronic equipment
CN114707144A (en) Virtual machine escape behavior detection method and device
CN111274089A (en) Server abnormal behavior perception system based on bypass technology
CN114154160B (en) Container cluster monitoring method and device, electronic equipment and storage medium
CN117034261B (en) Exception detection method and device based on identifier, medium and electronic equipment
CN117544327A (en) Network security monitoring method, device, storage medium and apparatus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant